Microsoft is offering more than $250,000 to researchers who develop new security defenses to protect Windows users against attacks that exploit software bugs.

Microsoft's Blue Hat Prize: http://www.microsoft.com/security/bluehatprize/ announced on Wednesday at the Black Hat security conference will pay $200,000 for the best “novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities.” The two runners up will receive $50,000 and a MSDN Universal subscription valued at $10,000, respectively.

“The Microsoft BlueHat Prize contest is designed to generate new ideas for defensive approaches to support computer security,” the software maker's announcement stated. “As part of our commitment to a more secure computing experience, we hope to inspire security researchers to develop innovative solutions intended to address serious security threats.”

Microsoft over the years has added an alphabet soup of protections to its software that are designed to mitigate the damage that can be done when hackers discover buffer overflows and other bugs that inevitably afflict any complex piece of code. ASLR, or address space layout randomization; DEP, or data execution prevention; SEHOP, or structured exception handling overwrite protection; and SafeSeh are just some of the examples.

The protections aren't intended to prevent bugs, but rather to prevent attackers from exploiting them to steal data or remotely execute malicious code on vulnerable systems.

“This is the first and largest incentive prize ever offered by Microsoft, and possibly the industry, for defensive computer security technology,” Matt Thomlinson, general manager of Microsoft’s Trustworthy Computing Group, wrote here: http://blogs.technet.com/b/msrc/archive/2011/07/27/bluehat.aspx "In the age of increased risk of attacks on personal, corporate and government computer systems, Microsoft recognizes the need to encourage and nurture innovation in the area of exploit mitigations."

Wednesday's announcement came a week after Facebook joined Mozilla and Google in paying cash bounties to researchers who privately report security vulnerabilities in their software and services: http://scforum.info/index.php/board,21.0.html Microsoft continues to steadfastly refuse to reimburse bug discoverers for the time and expertise they provide in helping stamp out bugs on the Windows platform.

"Microsoft's first ever bug bounty programme has resulted in payouts totalling $28,000 to security researchers who found flaws in the preview release of Internet Explorer 11.

Redmond offers a maximum reward of $11,000 to researchers who found security vulnerabilities in pre-release versions of IE 11 during the period of the bug bounty programme, which ran for a month from 26 June. In the event Microsoft paid out $28k to six researchers who collectively reported 15 different bugs.

Google engineers Ivan Fratric and Fermin J Serna received $1,100 and $500, respectively, for uncovering lesser flaws. Both these bounties were donated to charity.

Bug bounty programmes have become commonplace across the IT industry over recent years. The schemes motivate researchers to report flaws to vendors, rather than selling details of bugs to TippingPoint's Zero Day Initiative or hawking them through exploit brokers or vulnerability marketplaces: http://blog.bugcrowd.com/list-of-active-bug-bounty-programsGoogle's bug bounties are the best known and most financially generous.

The IE 11 bug-hunting season has closed but Microsoft is still offering a rather more generous $100,000 for "truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview)": http://www.microsoft.com/security/msrc/report/bountyprograms.aspx#And this can be topped up by a reward of up to $50,000 for ideas on how to defend against identified attacks."